WHAT IS CLAIMED IS:

1. A method of at least partially securing communications, via a Host Identity
Protocol, HIP, proxy, between a first host which is not HIP enabled and a second host 
which is HIP enabled, the method comprising: 

sending a query from the first host to resolve the Internet Protocol, IP, address 
of the second host; 

in response to said query, retrieving an IP address and Host Identity Tag, HIT, 
associated with the second host, returning from the proxy a substitute IP address 
associated with the second host, and maintaining at the proxy a mapping between the 
substitute IP address, the retrieved IP address and the retrieved HIT; and 

upon receipt of a session initiation message at the proxy from the first host 
including as its destination address the substitute IP address, using the mapping to 
negotiate a secure HIP connection between the proxy and the second host. 

2. A method as claimed in claim 1, comprising looking up the retrieved IP address 
and the retrieved HIT from the mapping based on the substitute IP address in the session 
initiation message, and performing the HIP negotiation using the retrieved IP address 
and the retrieved HIT to locate and identify the Responder together with an IP address 
and HIT of the proxy to locate and identify the Initiator. 

3. A method as claimed in claim 1 or 2, wherein the retrieved IP address is the IP 
address of a Forwarding Agent used by the second host, and further comprising 
initiating the HIP negotiation between the proxy and the second host by sending the 
initial HIP negotiation packet to the Forwarding Agent. 

4. A method as claimed in claim 3, further comprising, following receipt of the 
actual IP address of the second host at the proxy during the HIP negotiation, including 
the actual IP address in the mapping maintained at the proxy. 

5. A method as claimed in claim 4, wherein the retrieved IP address is replaced in 
the mapping by the actual IP address following its receipt at the proxy. 

6. A method as claimed in claim 1 or 2, wherein the retrieved IP address is the
actual IP address of the second host. 

7. A method as claimed in any preceding claim, further comprising, for an 
outgoing message received at the proxy after the secure HIP connection has been 
established including as its destination address the substitute IP address, using the 
mapping to route the message over the secure HIP connection to the second host. 

8. A method as claimed in claim 7, when dependent on claim 4, comprising 
looking up the actual IP address and the retrieved HIT from the mapping based on the 
substitute IP address in the outgoing message, and routing the outgoing message to the 
second host using the actual IP address and the retrieved HIT to locate and identify the 
destination of the message, and using an IP address and HIT of the proxy to locate and
identify the source of the message. 

9. A method as claimed in any preceding claim, further comprising completing the 
establishment of communications between the first and second hosts by forwarding the 
session initiation message from the proxy to the second host over the secure HIP 
connection, replying with a session acknowledgment message from the second host to 
the proxy over the secure HIP connection, and routing the session acknowledgment 
message to the first host. 

10. A method as claimed in claim 9, wherein the session acknowledgment message 
is a TCP ACK message. 

11. A method as claimed in any preceding claim, wherein the session initiation 
message is a TCP SYN message. 

12. A method as claimed in any preceding claim, further comprising, for an 
incoming message received at the proxy from the second host over the established 
secure HIP connection, using a NAT function of the proxy to route the message to the 
appropriate destination host. 

13. A method as claimed in any preceding claim, wherein the query is a DNS query.

14. A method as claimed in any preceding claim, wherein the proxy performs the 
step of retrieving the IP address and HIT associated with the second host. 

15. A method as claimed in claim 14, wherein the proxy retrieves the IP address and 
HIT associated with the second host from an external DNS server. 

16. A method as claimed in claim 14, wherein the proxy retrieves the IP address and 
HIT associated with the second host from an internal DNS server. 

17. A method as claimed in any preceding claim, wherein the proxy intercepts the
DNS query from the first host.

18. A communications system comprising a first host which is not Host Identity 
Protocol, HIP, enabled, a second host which is HIP enabled, and a HIP proxy, wherein: 

the first host comprises means for sending a query to resolve the Internet 
Protocol, IP, address of the second host; 

the proxy comprises means for retrieving, in response to said query, an IP 
address and Host Identity Tag, HIT, associated with the second host, for returning a 
substitute IP address associated with the second host, for maintaining a mapping
between the substitute IP address, the retrieved IP address and the retrieved HIT, and for 
using the mapping, upon receipt of a session initiation message from the first host 
including as its destination address the substitute IP address, to negotiate a secure HIP
connection between the proxy and the second host. 

19. A method for use by a Host Identity Protocol, HIP, proxy of at least partially 
securing communications, via the proxy, between a first host which is not HIP enabled 
and a second host which is HIP enabled, the method comprising: 

receiving a query from the first host to resolve the Internet Protocol, IP, address 
of the second host; 

in response to said query, retrieving an IP address and Host Identity Tag, HIT, 
associated with the second host, returning a substitute IP address associated with the 
second host, and maintaining a mapping between the substitute IP address, the retrieved
IP address and the retrieved HIT; and 

upon receipt of a session initiation message from the first host including as its 
destination address the substitute IP address, using the mapping to negotiate a secure 
HIP connection between the proxy and the second host. 

20. A Host Identity Protocol, HIP, proxy for use in at least partially securing 
communications, via the proxy, between a first host which is not HIP enabled and a 
second host which is HIP enabled, comprising: 

means for receiving a query from the first host to resolve the Internet Protocol, 
IP, address of the second host; 

means for retrieving, in response to said query, an IP address and Host Identity 
Tag, HIT, associated with the second host, returning a substitute IP address associated
with the second host, and maintaining a mapping between the substitute IP address, the 
retrieved IP address and the retrieved HIT; and 

means for using the mapping, upon receipt of a session initiation message from 
the first host including as its destination address the substitute IP address, to negotiate a 
secure HIP connection between the proxy and the second host.

21. An operating program which, when run on a HIP proxy, causes the proxy to 
carry out a method as claimed in claim 19. 

22. An operating program which, when loaded into a HIP proxy, causes the proxy to 
become one as claimed in claim 20. 

23. An operating program as claimed in claim 21 or 22, carried on a carrier medium. 

24. An operating program as claimed in claim 23, wherein the carrier medium is a 
transmission medium. 

25. An operating program as claimed in claim 23, wherein the carrier medium is a 
storage medium. 
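
The mapping lifecycle recited in claims 1, 4, 5, 7 and 8, modelled as an added example that is not part of the claims or of any implementation by the applicant. The `HipProxy` class, the substitute pool `10.99.0.0/24`, and every hostname, address and HIT below are constructed assumptions; a session initiation message for an unmapped substitute address is dropped rather than forwarded unprotected.

```python
import ipaddress
from dataclasses import dataclass
# Constructed sample data: names, addresses and HITs are illustrative only.
PROXY_IP, PROXY_HIT = "192.0.2.1", "2001:10::aaaa"
DNS_RECORDS = {  # hostname -> (retrieved IP, HIT)
    "direct.example": ("198.51.100.7", "2001:10::1"),    # actual IP (claim 6)
    "mobile.example": ("198.51.100.53", "2001:10::2"),   # Forwarding Agent (claim 3)
}

@dataclass
class Entry:
    ip: str                    # retrieved IP, replaced by the actual IP (claim 5)
    hit: str
    established: bool = False  # True once the HIP negotiation has completed

class HipProxy:
    def __init__(self, pool="10.99.0.0/24"):  # substitute pool is an assumption
        self._free = iter(ipaddress.ip_network(pool).hosts())
        self.by_sub, self.by_hit = {}, {}  # substitute IP -> Entry; HIT -> substitute IP

    def resolve(self, name):
        """Query step: return a substitute IP, or None if no IP/HIT is retrieved."""
        if name not in DNS_RECORDS:
            return None
        ip, hit = DNS_RECORDS[name]
        if hit not in self.by_hit:          # one substitute address per peer HIT
            sub = str(next(self._free))
            self.by_sub[sub], self.by_hit[hit] = Entry(ip, hit), sub
        return self.by_hit[hit]

    def on_syn(self, dst):
        """Session initiation: parameters for the initial HIP negotiation packet."""
        e = self.by_sub.get(dst)
        if e is None:
            raise LookupError(f"no mapping for {dst}; dropping, not forwarding")
        return {"send_to": e.ip, "responder_hit": e.hit,
                "initiator_ip": PROXY_IP, "initiator_hit": PROXY_HIT}

    def on_established(self, dst, actual_ip):
        """Negotiation complete: store the actual IP in place of the retrieved one."""
        e = self.by_sub[dst]
        e.ip, e.established = actual_ip, True

    def route(self, dst):
        """Later outgoing message: (actual IP, HIT) locating and identifying the peer."""
        e = self.by_sub.get(dst)
        if e is None or not e.established:
            raise LookupError(f"no established HIP connection for {dst}")
        return e.ip, e.hit
```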



